Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 13:28
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://hosting.tempauto.ru/Adobe.rar
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: https://hosting.tempauto.ru/Adobe.rar
  Resource: win11-20240426-en
General
Target: https://hosting.tempauto.ru/Adobe.rar
Malware Config
Signatures
Detect ZGRat V1 (33 IoCs)
resource / yara_rule:
- behavioral1/memory/4900-99-0x000000003DCD0000-0x000000003DD2E000-memory.dmp: family_zgrat_v1
- behavioral1/memory/4900-101-0x000000003DE10000-0x000000003DE6E000-memory.dmp: family_zgrat_v1
- behavioral1/memory/4900-N-0x000000003DE10000-0x000000003DE67000-memory.dmp: family_zgrat_v1, for the 31 dumps N = 145, 153, 161, 159, 157, 155, 151, 149, 147, 143, 142, 137, 135, 133, 132, 129, 125, 123, 121, 119, 118, 115, 113, 111, 109, 107, 105, 139, 127, 103, 102
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (2 IoCs)
resource / yara_rule:
- behavioral1/memory/4900-94-0x0000000000400000-0x0000000001400000-memory.dmp: modiloader_stage2
- behavioral1/memory/4900-97-0x0000000000400000-0x0000000001400000-memory.dmp: modiloader_stage2
Executes dropped EXE (2 IoCs)
pid / Process:
- 4920: Adobe.exe
- 4900: dwewgsuF.pif
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fusgwewd = "C:\\Users\\Public\\Fusgwewd.url" (Adobe.exe)
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- 40: api.ipify.org
- 41: api.ipify.org
- 44: ip-api.com
Suspicious use of SetThreadContext (1 IoCs)
description / pid / Process / procid_target:
- PID 4920 set thread context of 4900; 4920, Adobe.exe, 114
Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / Process:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Modifies registry class (1 IoCs)
description / ioc / Process:
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (msedge.exe)
Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
description / flow / ioc:
- HTTP User-Agent header, flow 33: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid / Process (repeated rows collapsed, entry counts in parentheses):
- 4328 msedge.exe (2)
- 1452 msedge.exe (2)
- 3784 identity_helper.exe (2)
- 1048 msedge.exe (2)
- 4900 dwewgsuF.pif (3)
- 6932 msedge.exe (4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid / Process:
- 1452 msedge.exe (7 entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description / pid / Process:
- Token: SeRestorePrivilege; 4748, 7zG.exe
- Token: 35; 4748, 7zG.exe
- Token: SeSecurityPrivilege; 4748, 7zG.exe
- Token: SeSecurityPrivilege; 4748, 7zG.exe
- Token: SeDebugPrivilege; 4900, dwewgsuF.pif
Suspicious use of FindShellTrayWindow (34 IoCs)
pid / Process:
- 1452 msedge.exe (33 entries)
- 4748 7zG.exe (1 entry)
Suspicious use of SendNotifyMessage (24 IoCs)
pid / Process:
- 1452 msedge.exe (24 entries)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid / Process:
- 4900 dwewgsuF.pif
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (all rows are from pid 1452, msedge.exe; repeated rows per target collapsed):
- PID 1452 wrote to memory of 3596; procid_target 81
- PID 1452 wrote to memory of 2608; procid_target 82
- PID 1452 wrote to memory of 4328; procid_target 83
- PID 1452 wrote to memory of 4660; procid_target 84
Processes
- msedge.exe (PID 1452)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hosting.tempauto.ru/Adobe.rar
  Signatures:
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - msedge.exe (PID 3596)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ace946f8,0x7ff8ace94708,0x7ff8ace94718
  - msedge.exe (PID 2608)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  - msedge.exe (PID 4328)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 4660)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  - msedge.exe (PID 2644)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  - msedge.exe (PID 3036)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  - identity_helper.exe (PID 4748)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
  - identity_helper.exe (PID 3784)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 4360)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5184 /prefetch:8
  - msedge.exe (PID 716)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  - msedge.exe (PID 1048)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 2876)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  - msedge.exe (PID 4972)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  - msedge.exe (PID 1904)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  - msedge.exe (PID 4836)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  - msedge.exe (PID 6932)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5288 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- CompPkgSrv.exe (PID 2360)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- CompPkgSrv.exe (PID 4228)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- rundll32.exe (PID 1552)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- 7zG.exe (PID 4748)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap28572:72:7zEvent4687
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- Adobe.exe (PID 4920)
  Command line: "C:\Users\Admin\Downloads\Adobe.exe"
  Signatures:
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  Child processes:
  - extrac32.exe (PID 5112)
    Image: C:\Windows\SysWOW64\extrac32.exe
    Command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\Downloads\Adobe.exe C:\\Users\\Public\\Libraries\\Fusgwewd.PIF
  - dwewgsuF.pif (PID 4900)
    Command line: C:\Users\Public\Libraries\dwewgsuF.pif
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: ce4c898f8fc7601e2fbc252fdadb5115
  SHA1: 01bf06badc5da353e539c7c07527d30dccc55a91
  SHA256: bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
  SHA512: 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
- Filesize: 152B
  MD5: 4158365912175436289496136e7912c2
  SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
  SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
  SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
- Filesize: 187B
  MD5: 13782a4f38ec953f8680ded952447946
  SHA1: 1b2bf0ab8616dfd4b36655abefeecd114647d9c5
  SHA256: 900d5ad4a4b754b605d1d0e7bd621875d15898c774fd8037e78006fa01703a97
  SHA512: 7a1258750c91263586fd3a8717a32c04be4e18594390179cc32b7426fe7f8c3d09721ba4aebf0fa9a360710541ad32a7d9b5ce12a13501b54a327b4d6380b081
- Filesize: 6KB
  MD5: f2430146aad9de0d4ae0ac8c5c466a44
  SHA1: 32d81ea351353e7bb4ddd1f046dc722f75b85d3e
  SHA256: 16026218f2849929f511e726e0b6ced0f9dfb2ef60f2657c0e8e38d9e0bb1293
  SHA512: b8a9e0a3f780b946bd4bfb0dfeb552762604c068b7410e1c0a12a2edc8ebcb0fb2ef84d924dbb6b1005b9751f8adaba5cc7729b9304caef1b4dab88a8f4a50a6
- Filesize: 6KB
  MD5: 7f35f896dea260eb57d808e64821c79f
  SHA1: 4412e0c484735fc3db5956b413754bf6d84f1f47
  SHA256: 0be308204b5054d852a0156475f9038004c353a556a39f1adb170080c95e977e
  SHA512: ea3b01c2cfc475d9fe7898903c227882dcf6382e8b4ad331bdcac6f859e3c6a2a3d9ff319533b3c9b47b302c5940202b8762b2e557400676679fa212759b5738
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 11KB
  MD5: 56b1109c15cf413bbfe9415911c24866
  SHA1: 72e301b23eece466aa95833b357289112ae37aeb
  SHA256: ec6092c4e4d63a4056b2b3a2ae4b92aa38444edb321ff13a858e0ba7cd267ca2
  SHA512: de69297e5d4baccb642ff9e28b7a4ee4fea3243df7eda8bbb701a70394e3f0f3492b597e9145a54585a357706cc5ac90979d8da04b6f6f4787b94d1d9302320a
- Filesize: 11KB
  MD5: 1f42bf355139398397164adbdc73da17
  SHA1: bf72dd8c152767a37bb3bd0541713fcfa8363c45
  SHA256: c2dc12aca07ce9c197f21a0dfe0592a690332e171ddae37d1850620708aa9150
  SHA512: b9386c635eb5d3e2f553bda89c60ebc1f771cba8f7a877ce844d89fb8dbbac51e3d82e85a27977748fc7e529f4dabeb97d5b5467d7bfdc88f1b72344f9144652
- Filesize: 1.4MB
  MD5: 32769244b3c9180aaeda9bdbc94e3c28
  SHA1: a76ee5e814514bcdce374b2a12adb69f216be63c
  SHA256: fe396a1237d49be994cea981a0634f8535736c67942d050b43dca2c38038de52
  SHA512: 6cf72600a174d64eb1f3513dbeeb4c445c619a2352836705796e7f636082b9178d99d08e7c7e6ff8162617b41e9ffc0f609a00916f0fb2a7d91ab499d3717f43
- Filesize: 412KB
  MD5: 88592b17526e132988cee3ad37f0d852
  SHA1: c49c43010c7e9d812437eed3cb8a1ac21812d81c
  SHA256: cd5999b7894bd16871b5f43adf2d2dd9c12e67977e01566ac39f09abb0d04835
  SHA512: 1fc43dfdc57dfc52926c7d02ee3c9efde294e72bd015a8fb343bacce8e94004823ac0f9e630c45a2ae58dec36a18e30ba69ccb6e68dc58490f2e7ca201d2cd26
- Filesize: 66KB
  MD5: c116d3604ceafe7057d77ff27552c215
  SHA1: 452b14432fb5758b46f2897aeccd89f7c82a727d
  SHA256: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
  SHA512: 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6